Hi,
Is it possible to reduce the default delay (10 seconds) the initram mechanism (encrypt hook) will wait during boot to get the key to unlock a full disk encryption? Is this default value of 10 seconds set in any config file?
Thanks
Last edited by gen2arch (2017-07-26 08:38:53)
This delay is determined by the iteration count, which is specified by the --iter-time parameter when the disk is first encrypted using cryptsetup's luksFormat option.
This can be changed as described here:
It's possible to change the key itercounts by luksChangeKey (change the key to the same key). Changing the master key itercount requires the LUKS header to be re-created as a whole, using cryptsetup-reencrypt --keep-key or the manual method http://unix.stackexchange.com/a/178722/30851
You should not do any of this without a backup.
However, by decreasing the iteration count, you are also decreasing the hardness of the encryption, although the default is usually 1 second, not 10 -- read 5.10 in Cryptsetup FAQs.
Also, to reiterate: back it up first!
Good luck.
Unless I'm misunderstanding then I've never come across this delay - The password prompt remains indefinitely until I enter my password.
Hi seadanda and slithery
Thanks for your input!
In fact, the delay I'm talking of occurs when using an external drive that holds the passphrase of the encrypted disk, and the kernel is instructed to use the key on this external drive by the "cryptkey" directive in the kernel command line, cf:
https://wiki.archlinux.org/index.php/Dm … n#cryptkey
In this case a delay of 10 seconds is indicated during boot.
I'm not sure if this delay is in fact related to "iter-times"!
Thanks
He might be after the rootdelay or rootwait kernel parameters? *shrug*
He might be after the rootdelay or rootwait kernel parameters? *shrug*
seth, thanks! This was exactly what I was looking for: "rootdelay=5" on the kernel command line makes the kernel only wait the indicated time of 5 seconds before it attempts to mount the encrypted root fs. Perfect.